Microsoft Purview · Global & Security Roles

Compliance Administrator

Built-in Microsoft Entra ID role with broad permissions across Microsoft Purview compliance features, including DLP, retention, sensitivity labels, eDiscovery (Standard), and Compliance Manager.

Scope: organization-wide Microsoft Entra ID role covering most Purview compliance features; it does not include device management or Content Explorer content viewing.

Permissions

  • Retention Policies - Manage retention policies and labels across all Microsoft 365 workloads (Exchange, SharePoint, OneDrive, Teams, Copilot)
  • DLP Policies - Configure DLP policies across cloud apps, endpoints, on-premises repositories, and Exchange
  • Sensitivity Labels - Create and manage sensitivity labels and auto-labeling policies
  • Compliance Manager - Access Compliance Manager and manage assessments, improvement actions, and compliance scores
  • Information Barriers - Configure information barriers policies and organizational segments
  • Classifiers - Manage trainable classifiers, exact data match (EDM), and sensitive information types
  • Reports - View and export compliance reports, audit logs, and analytics dashboards
  • eDiscovery Standard - Manage eDiscovery (Standard) cases: search, hold, export mailboxes, sites, and Teams
  • Communication Compliance - Configure communication compliance policies and review alerts (view-only on messages)
  • Insider Risk - Manage insider risk management policies and review alerts (view-only on content)
  • Records Management - Configure records management labels, file plan, and disposition workflows
  • Alert Policies - Manage alert policies, activity alerts, and compliance notifications
  • Activity Explorer - Access Activity Explorer for user activity monitoring (list view only)
  • Adaptive Scopes - Manage adaptive scopes for dynamic policy targeting
  • Copilot Retention - Configure retention for Microsoft 365 Copilot interactions and AI-generated content
  • Administrative Units - Manage administrative units for scoped retention and DLP policies

Common use cases

  • Chief Compliance Officer or Compliance Manager with broad oversight responsibilities
  • Organizations needing a single Entra ID role for general compliance management across all Purview solutions
  • Smaller compliance teams where one person handles DLP, retention, sensitivity labels, and eDiscovery
  • Compliance consultants implementing comprehensive compliance programs for clients
  • Mid-sized organizations without specialized compliance roles (e.g., separate DLP and retention admins)
  • Managing regulatory compliance for GDPR, HIPAA, SOX, SEC, FINRA, CCPA, FERPA
  • Configuring organization-wide data protection and governance policies
  • Coordinating compliance initiatives across legal, IT, and business stakeholder groups

Best practices

  • Use this role for senior compliance staff managing overall compliance program
  • Use narrower Purview role groups (for example, DLP Compliance Management or Retention Management) for team members whose responsibilities do not require the whole role
  • Implement change management and peer review processes for critical policy modifications
  • Conduct regular compliance posture reviews using Compliance Manager assessments
  • Coordinate with security team on overlapping controls (DLP, insider risk, information protection)
  • Document policy decisions and regulatory basis in Compliance Manager improvement actions
  • Test policies with pilot groups before organization-wide deployment
  • Use administrative units to delegate compliance management for specific regions or business units
  • Schedule quarterly reviews of retention labels, DLP policies, and sensitivity labels
  • Maintain separation of duties: assign eDiscovery Manager to the legal team rather than to compliance administrators, so the people who define policy are not the ones who search and export content
  • Use adaptive scopes for dynamic policy targeting based on user attributes or department
  • Confirm unified audit logging is enabled, and review role-membership changes and compliance policy changes (DLP, retention, and label cmdlets) in the audit log at least monthly

Security considerations

  • Broad access to compliance controls: review the unified audit log for actions by role holders, since a compromised or careless holder can weaken DLP, retention, and labeling for the whole tenant
  • Changes to DLP or retention can impact entire organization - test thoroughly before deployment
  • Should NOT also hold workload admin roles (Exchange Administrator, SharePoint Administrator) or Global Administrator, so that policy definition stays separate from workload administration
  • Use Privileged Identity Management (PIM, which requires Microsoft Entra ID P2) for just-in-time activation with approval and a short activation window instead of standing assignment
  • Cannot access Content Explorer (requires Compliance Data Administrator for sensitive content viewing)
  • Cannot manage device compliance policies (requires Compliance Data Administrator)
  • eDiscovery permissions limited to Standard tier - use eDiscovery Manager for Premium capabilities
  • Assign sparingly - only to trusted compliance professionals with proven judgment
  • Review role assignments quarterly and remove inactive or unnecessary assignments
  • Require phishing-resistant MFA and a Conditional Access policy that targets directory roles for every holder of this role
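The quarterly assignment review (best practices list above) and the audit-log monitoring in this list are two halves of the same control. Below is an added PowerShell example, written for this page rather than taken from Microsoft's documentation, that enumerates active and PIM-eligible holders of the Compliance Administrator role through Microsoft Graph PowerShell, flags any holder not on an approved list, and pulls the matching role-membership and policy-change events from Search-UnifiedAuditLog. The approved-holder UPNs, the lookback window, and the chosen set of audited operations are assumptions to adjust for your tenant.

```powershell
# Added example, not from the page or from Microsoft: quarterly review of the
# Compliance Administrator Entra ID role plus the audit trail behind it.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules are installed,
# the account running this can consent to the Graph scopes below and holds a
# Purview role that permits Search-UnifiedAuditLog, and $ApprovedHolders is a
# constructed placeholder list that you replace with your own approved UPNs.
param(
    [string[]]$ApprovedHolders = @('cco@contoso.example', 'compliance.lead@contoso.example'),
    [int]$LookbackDays = 30
)

Import-Module Microsoft.Graph.Identity.Governance, ExchangeOnlineManagement

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Resolve the role by display name instead of hard-coding its template GUID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Compliance Administrator'"
if (-not $roleDef) { throw 'Compliance Administrator role definition not found' }
$roleFilter = "roleDefinitionId eq '$($roleDef.Id)'"

# Active assignments (permanent, or currently activated through PIM). DirectoryScopeId
# '/' means tenant-wide; an administrative unit ID means the assignment is scoped.
$active = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter $roleFilter -ExpandProperty Principal |
    ForEach-Object { [pscustomobject]@{ Kind = 'Active'; Principal = $_.Principal; Scope = $_.DirectoryScopeId } })

# PIM-eligible assignments (activatable just-in-time; PIM requires Entra ID P2).
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $roleFilter -ExpandProperty Principal |
    ForEach-Object { [pscustomobject]@{ Kind = 'Eligible'; Principal = $_.Principal; Scope = $_.DirectoryScopeId } })

$review = foreach ($row in $active + $eligible) {
    $props = $row.Principal.AdditionalProperties
    $upn   = $props['userPrincipalName']      # null for groups and service principals
    [pscustomobject]@{
        Principal  = if ($upn) { $upn } else { $props['displayName'] }
        Type       = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Assignment = $row.Kind
        Scope      = $row.Scope
        Approved   = [bool]($upn -and ($ApprovedHolders -contains $upn))
    }
}
$review | Sort-Object Assignment, Principal | Format-Table -AutoSize

# Every holder outside the approved list needs a ticket; group and service-principal
# holders are always flagged because their membership is not reviewed individually here.
$review | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Unapproved holder: $($_.Principal) [$($_.Type), $($_.Assignment), scope $($_.Scope)]" }

# Audit trail: who changed role membership, and which DLP, retention and label
# policies were created, changed or removed in the lookback window.
Connect-IPPSSession
$operations = @(
    'Add member to role.', 'Remove member from role.',
    'New-DlpCompliancePolicy', 'Set-DlpCompliancePolicy', 'Remove-DlpCompliancePolicy',
    'New-RetentionCompliancePolicy', 'Set-RetentionCompliancePolicy', 'Remove-RetentionCompliancePolicy',
    'New-Label', 'Set-Label', 'Remove-Label'
)
# 5000 is the per-call maximum; page with -SessionId/-SessionCommand if a tenant exceeds it.
$changes = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -Operations $operations -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        # Cmdlet records carry the arguments in Parameters (-Identity for Set/Remove, -Name for New);
        # directory role-change records name the target principal in ObjectId.
        $p = $d.Parameters | Where-Object { $_.Name -in 'Identity', 'Name' } | Select-Object -First 1
        $target = if ($p) { $p.Value } else { $d.ObjectId }
        [pscustomobject]@{ When = $_.CreationDate; Actor = $d.UserId; Operation = $_.Operations; Target = $target }
    }
$changes | Sort-Object When | Format-Table -AutoSize
```

Run it interactively once per review cycle and file the two tables with the sign-off. An Active, tenant-wide entry whose Scope is "/" is the case to question first, since administrative-unit scoping and PIM eligibility both leave a narrower standing footprint than a permanent, unscoped assignment.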
